Separate .flyrc into two files - one with targets and one with bearer tokens #5242
Comments
I can see merit in splitting up the sensitive information from the configuration. With #6017, this sensitive information could extend beyond tokens, so maybe we can use Rather than using We should still support
I think this is a more complex issue than meets the eye. By using Properly implementing this would most likely require a few other changes like:
One thing that seems clear to me from reading through golang/go#29960 is that expectations when it comes to storing things beyond To me, this smells of complexity. If we are to take cues from say
👍
It's not just for the security benefits, it's also for putting
What challenge are you facing?

As an individual Concourse admin of a variety of Concourse instances with a variety of teams in each Concourse instance, I would like to keep my .flyrc in version control along with the rest of my dotfiles, for a) backup purposes and b) to have an easier transition when using different workstations.

What would make this better?

Transition from $HOME/.flyrc to using $XDG_CONFIG_HOME/concourse/fly.yaml (listing the targets) and $XDG_RUNTIME_DIR/concourse/fly-tokens.yaml (listing the bearer tokens that are used when logged into specific targets). The $XDG_CONFIG_HOME/concourse/fly.yaml file can then be version-controlled.

This has the additional security benefit of ensuring that the user is effectively logged out of all of their targets when they log out of their machine (as $XDG_RUNTIME_DIR is deleted when the user logs out), and does the groundwork necessary to build a user daemon that could automatically log a user into each of the user's fly targets upon workstation login, and rotate the bearer tokens so that the user stays logged in while they stay logged into their workstation.

Are you interested in implementing this yourself?

Sorry, I don't have the time at this moment.
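
The split requested above, sketched in Go as an added example; it is not code from Concourse or fly. Only the two file locations come from the issue text. The `Target` fields and the helper names `paths`, `split` and `writePrivate` are assumptions made for illustration, and the sample target is constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Target is one .flyrc entry; this field set is an assumption for the example.
type Target struct{ API, Team, Token string }

// paths resolves the two proposed file locations from an environment lookup.
func paths(getenv func(string) string) (cfg, tok string, err error) {
	cfgHome := getenv("XDG_CONFIG_HOME")
	if cfgHome == "" { // default from the XDG Base Directory spec
		cfgHome = filepath.Join(getenv("HOME"), ".config")
	}
	run := getenv("XDG_RUNTIME_DIR")
	if run == "" { // no fallback: any other directory would outlive the login session
		return "", "", fmt.Errorf("XDG_RUNTIME_DIR unset; refusing to store tokens")
	}
	return filepath.Join(cfgHome, "concourse", "fly.yaml"), filepath.Join(run, "concourse", "fly-tokens.yaml"), nil
}

// split moves every token out of the target list, which is then safe to commit.
func split(rc map[string]Target) (map[string]Target, map[string]string) {
	targets, tokens := map[string]Target{}, map[string]string{}
	for name, t := range rc {
		if t.Token != "" {
			tokens[name] = t.Token
		}
		t.Token = ""
		targets[name] = t
	}
	return targets, tokens
}

// writePrivate creates the parent directory 0700 and the token file 0600.
func writePrivate(path string, data []byte) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return err
	}
	return os.WriteFile(path, data, 0o600) // mode applies only when the file is created
}

func main() {
	targets, tokens := split(map[string]Target{"ci": {"https://ci.example.com", "main", "constructed-token"}})
	cfg, tok, err := paths(os.Getenv)
	fmt.Println(cfg, tok, err, targets, len(tokens))
}
```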